Description
The airflow auth manager is responsible for both authentication and authorization of the user. By splitting the authentication component out into a separate module, authorization could be done by a separate provider, e.g. using fab to provide authentication via OIDC and then using keycloak to provide authorization
Use case/motivation
The casbin authorization library is a powerful policy engine, but does not support authentication. It expects users to already have their identity authenticated, and then provides those users with roles based on the policy. A good fit for the airflow security model would be the RBAC with domains model. However Casbin alone would not provide enough functionality to create an auth manager, so another library would be required to perform authorization. Therefore if a 'casbin' provider were to be created, it would not actually be using casbin for the authentication, but rather would need some other functionality added from a different library. For example you could use fab to authenticate the user and then use a casbin model to provide authorization.
Related issues
No response
Are you willing to submit a PR?
Code of Conduct
Description
The airflow auth manager is responsible for both authentication and authorization of the user. By splitting the authentication component out into a separate module, authorization could be done by a separate provider, e.g. using fab to provide authentication via OIDC and then using keycloak to provide authorization
Use case/motivation
The casbin authorization library is a powerful policy engine, but does not support authentication. It expects users to already have their identity authenticated, and then provides those users with roles based on the policy. A good fit for the airflow security model would be the RBAC with domains model. However Casbin alone would not provide enough functionality to create an auth manager, so another library would be required to perform authorization. Therefore if a 'casbin' provider were to be created, it would not actually be using casbin for the authentication, but rather would need some other functionality added from a different library. For example you could use fab to authenticate the user and then use a casbin model to provide authorization.
Related issues
No response
Are you willing to submit a PR?
Code of Conduct